On 12/4/09 7:36 AM, Mary Ellen Zurko wrote:
>> Same-origin is about preventing Cross-Site Scripting (XSS) attacks.
>
> Not to be a total pedant, but since this is an issue near and dear to my
> heart...
>
> same-origin is about mitigating XSS, not preventing it, right? Since in
> web apps that allow users to collaborate with content that might include
> (D)HTML, same-origin is of no help at all. right?
The same-origin policy has been so effective at preventing direct
scripting across sites that most "XSS" attacks people are familiar with
have been various ways of injecting the code into the victim site
through site flaws, bypassing the browsers' same-origin checks. But
every new client feature has to take the same-origin policy carefully
into account to avoid creating new client-side XSS avenues.